On Fri, 14 Dec 2012, Christopher Morrow wrote:

> On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:
> > In my experience, free/cheap certs "not working" on some clients is, in
> > 99.9% of cases, a misconfiguration error where the server isn't presenting
> > the cert chain properly (usually omitting the intermediate cert), which
> > works on some platforms (often because they include the intermediate certs
> > to work around these kinds of problems) but not on others. Fixing the cert
> > chain that's presented to the client has ALWAYS resolved these types of
> > issues in my experience.
>
> and in the case of the original topic... if the gmail servers don't
> accept StartSSL certs, please let me know I'll see about a fix.

Tangentially to this: any chance of supporting TLSA/DANE records for _110._tcp.domain and _995._tcp.domain? (and the IMAP equivalents).

That would let people carry on using self-signed certs who prefer to and let people who have a cert that chains back to a root CA assert which root CA the cert should chain back to, which would be nice in these days of DigiNotar and Comodo hacks...

--
[http://pointless.net/] [0x2ECA0975]
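
The two uses of TLSA raised in the message above (pinning a self-signed server cert, and naming the root CA a cert must chain to), as an added example that is not part of the original thread. All function names are hypothetical, the certificates are constructed skeletons rather than real signed certs, and only the record-matching step of RFC 6698 is shown.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki(cert):
    """Slice SubjectPublicKeyInfo (TLSA selector 1) out of a DER certificate."""
    _, pos, _ = _tlv(cert, 0)        # Certificate
    _, pos, _ = _tlv(cert, pos)      # tbsCertificate
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                  # optional [0] version
        pos = end
    for _ in range(5):               # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    return cert[pos:_tlv(cert, pos)[2]]

def association(cert, selector, mtype):
    """Certificate association data for a TLSA record (RFC 6698)."""
    data = cert if selector == 0 else spki(cert)
    return data if mtype == 0 else hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def tlsa_rr(port, host, usage, selector, mtype, cert):
    """Zone-file line for one service port (995 is POP3 over TLS)."""
    hexdata = association(cert, selector, mtype).hex()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {hexdata}"

def tlsa_matches(rdata, path):
    """rdata = (usage, selector, mtype, data); path = DER certs, leaf first.
    Matching only; every usage except 3 also requires validating the path."""
    usage, selector, mtype, data = rdata
    candidates = path[:1] if usage in (1, 3) else path[1:]  # own cert vs. a CA above it
    return any(association(c, selector, mtype) == data for c in candidates)

def _der(tag, body):  # short-form lengths only; enough for the samples below
    return bytes([tag, len(body)]) + body
def sample_cert(key):
    """Constructed skeleton in X.509 field order; not a real signed certificate."""
    spki_der = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _der(0x30, b"") * 4 + spki_der)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

LEAF, ROOT = sample_cert(b"leaf-key"), sample_cert(b"root-key")
SELF_SIGNED_PIN = (3, 1, 1, association(LEAF, 1, 1))   # "3 1 1": pin the server's key
ROOT_CA_PIN = (0, 0, 1, association(ROOT, 0, 1))       # "0 0 1": name the root CA
```

Real certificates can be fed in as DER via `ssl.PEM_cert_to_DER_cert()`.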